Dependency org.yaml:snakeyaml, leading to CVE problem
Closed this issue · 0 comments
CVEDetect commented
Hi, in /axonserver-eventstore-transformation, there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.
The affected version range of this CVE is [0,1.31).
After further analysis, the main API called in this project is `org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;`
Risk method repair link: GitHub
CVE Bug Invocation Path
Path Length: 5
CVE Bug Invocation Path:
```
io.axoniq.axonserver.eventstore.transformation.jpa.JpaCompactingContexts$1: next()Lio.axoniq.axonserver.eventstore.transformation.compact.CompactingContexts$CompactingContext; /download/apache-maven-3.6.3/repository_mount/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
```
Dependency tree
```
[INFO] io.axoniq.axonserver:axonserver-eventstore-transformation:jar:2023.0.0-SNAPSHOT
[INFO] +- io.grpc:grpc-protobuf:jar:1.50.2:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.50.2:compile
[INFO] |  |  +- io.grpc:grpc-context:jar:1.50.2:compile
[INFO] |  |  \- com.google.errorprone:error_prone_annotations:jar:2.14.0:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.21.7:compile
[INFO] |  +- com.google.api.grpc:proto-google-common-protos:jar:2.9.0:compile
[INFO] |  +- io.grpc:grpc-protobuf-lite:jar:1.50.2:compile
[INFO] |  \- com.google.guava:guava:jar:31.1-android:runtime
[INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:runtime
[INFO] |     +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:runtime
[INFO] |     +- org.checkerframework:checker-qual:jar:3.12.0:runtime
[INFO] |     \- com.google.j2objc:j2objc-annotations:jar:1.3:runtime
[INFO] +- io.axoniq:axonserver-plugin-api:jar:4.7.0-SNAPSHOT:compile
[INFO] +- io.axoniq.axonserver:axonserver-filestore:jar:2023.0.0-SNAPSHOT:compile
[INFO] |  \- org.springframework.data:spring-data-commons:jar:2.7.1:compile
[INFO] |     +- org.springframework:spring-core:jar:5.3.21:compile
[INFO] |     |  \- org.springframework:spring-jcl:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |     \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- io.projectreactor:reactor-core:jar:3.4.19:compile
[INFO] |  \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot:jar:2.7.1:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.1:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.1:compile
[INFO] |  |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.7.1:compile
[INFO] |  |  +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:5.3.21:compile
[INFO] |  +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
[INFO] |  +- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile
[INFO] |  +- org.hibernate:hibernate-core:jar:5.6.9.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.4.3.Final:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.11:compile
[INFO] |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  +- org.jboss:jandex:jar:2.4.2.Final:compile
[INFO] |  |  +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  +- org.hibernate.common:hibernate-commons-annotations:jar:5.1.2.Final:compile
[INFO] |  |  \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.6:compile
[INFO] |  |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |     +- org.glassfish.jaxb:txw2:jar:2.3.6:compile
[INFO] |  |     +- com.sun.istack:istack-commons-runtime:jar:3.0.12:compile
[INFO] |  |     \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:2.7.1:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:5.3.21:compile
[INFO] |  |  +- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |  |  |  \- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-tx:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-aspects:jar:5.3.21:compile
[INFO] +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] \- io.axoniq.axonserver:axonserver-commons:jar:2023.0.0-SNAPSHOT:compile
[INFO]    \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:compile
[INFO]       +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.21:compile
[INFO]       \- org.jetbrains:annotations:jar:13.0:compile
```
Suggested solutions:
Update dependency version
Thank you very much.
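The report above boils down to two practitioner tasks: confirm which branch of the dependency tree drags in the affected `org.yaml:snakeyaml` version, and pin a version outside the `[0,1.31)` range without waiting for every intermediate starter to be bumped. The script below is an added example, not the reporter's tool and not code from the Axon Server project. It assumes unmodified `mvn dependency:tree` output (three-character indentation per level), uses an abbreviated, constructed excerpt of the tree posted in this issue as sample input, and takes `1.31` as the first unaffected version purely because that is the upper bound of the range the report gives. The `<dependencyManagement>` fragment it emits is one standard Maven way to force a transitive version; the exact fix version to adopt should be checked against the advisory.

```python
"""Locate an affected transitive artifact in `mvn dependency:tree` output and
emit the Maven override that pins it.  Added example; not part of the report."""
import re
from typing import Dict, List, Tuple

# Constructed sample: an abbreviated copy of the tree in the report above,
# keeping the branch that leads to org.yaml:snakeyaml:1.30.
SAMPLE_TREE = r"""
[INFO] io.axoniq.axonserver:axonserver-eventstore-transformation:jar:2023.0.0-SNAPSHOT
[INFO] +- io.grpc:grpc-protobuf:jar:1.50.2:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.50.2:compile
[INFO] |  \- com.google.guava:guava:jar:31.1-android:runtime
[INFO] |     \- com.google.guava:failureaccess:jar:1.0.1:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] |  \- org.hibernate:hibernate-core:jar:5.6.9.Final:compile
[INFO] \- io.axoniq.axonserver:axonserver-commons:jar:2023.0.0-SNAPSHOT:compile
[INFO]    \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:compile
"""

# Range from the report: affected versions are [0, 1.31), so 1.31 is the
# first version outside it (assumption taken from the reported range only).
VULNERABLE = "org.yaml:snakeyaml"
FIXED_IN = "1.31"

INFO_RE = re.compile(r"^\[INFO\] (.*)$")
# group:artifact:type[:classifier]:version[:scope]
COORD_RE = re.compile(r"^[\w.\-]+(?::[\w.\-]+){3,5}$")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) per node. Maven draws each level with exactly
    three characters ("|  ", "   ", "+- ", "\\- "), so depth = column // 3."""
    nodes = []
    for line in text.splitlines():
        m = INFO_RE.match(line)
        if not m:
            continue
        body = m.group(1)
        coord = body.lstrip("|+\\- ")
        if not COORD_RE.match(coord):
            continue  # plugin banner, blank line or other non-node output
        nodes.append(((len(body) - len(coord)) // 3, coord))
    return nodes


def find_paths(text: str, group_artifact: str) -> List[List[str]]:
    """Every root-to-node path ending at group_artifact; a library can be pulled
    in through several parents, so more than one path is possible."""
    paths: List[List[str]] = []
    stack: List[str] = []
    for depth, coord in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(coord)
        if coord.startswith(group_artifact + ":"):
            paths.append(list(stack))
    return paths


def coordinate_version(coord: str) -> str:
    parts = coord.split(":")
    # root node is g:a:type:version; dependencies are g:a:type[:classifier]:version:scope
    return parts[-1] if len(parts) == 4 else parts[-2]


def version_key(version: str) -> Tuple[int, ...]:
    """Leading numeric segments only, so 5.6.9.Final -> (5, 6, 9)."""
    key = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        key.append(int(piece))
    return tuple(key)


def is_affected(version: str, fixed_in: str) -> bool:
    """True when version lies in the advisory range [0, fixed_in)."""
    return version_key(version) < version_key(fixed_in)


def scan(text: str, group_artifact: str, fixed_in: str) -> List[Dict]:
    """Affected occurrences of group_artifact with the path that pulls each in."""
    findings = []
    for path in find_paths(text, group_artifact):
        version = coordinate_version(path[-1])
        if is_affected(version, fixed_in):
            findings.append({"version": version, "path": path})
    return findings


def management_override(group_artifact: str, version: str) -> str:
    """pom.xml fragment that forces the transitive version project-wide."""
    group, artifact = group_artifact.split(":")
    return (
        "<dependencyManagement>\n  <dependencies>\n    <dependency>\n"
        f"      <groupId>{group}</groupId>\n"
        f"      <artifactId>{artifact}</artifactId>\n"
        f"      <version>{version}</version>\n"
        "    </dependency>\n  </dependencies>\n</dependencyManagement>"
    )


if __name__ == "__main__":
    for hit in scan(SAMPLE_TREE, VULNERABLE, FIXED_IN):
        print(f"{VULNERABLE}:{hit['version']} is affected (< {FIXED_IN}), "
              f"path length {len(hit['path'])}:")
        for depth, coord in enumerate(hit["path"]):
            print("  " * depth + coord)
        print("\nSuggested pom.xml override:\n" + management_override(VULNERABLE, FIXED_IN))
```

Run against the full tree in this issue the script reports a single path of length 5 (root, `spring-boot-starter-data-jpa`, `spring-boot-starter-aop`, `spring-boot-starter`, `snakeyaml`), which matches the report's `Path Length : 5`. After adding the override, re-run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` and confirm the resolved version is outside the range; if the module inherits from `spring-boot-starter-parent`, setting the `snakeyaml.version` property is the equivalent override.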